Fixed #397 and #398

ladislav-zezula · ladislav-zezula · commit 49b619bae28b · 2025-09-15T15:09:30.000+02:00
diff --git a/src/SBaseCommon.cpp b/src/SBaseCommon.cpp
@@ -1019,6 +1019,11 @@ void * LoadMpqTable(
                 return NULL;
             }
         }
+        else
+        {
+            // pocs/MPQ_2025_06_BadHashTableSize.mpq
+            dwCompressedSize = dwTableSize;
+        }
 
         // Get the file offset from which we will read the table
         // Note: According to Storm.dll from Warcraft III (version 2002),
diff --git a/src/SBaseFileTable.cpp b/src/SBaseFileTable.cpp
@@ -2508,7 +2508,8 @@ TMPQHetTable * LoadHetTable(TMPQArchive * ha)
     TMPQHeader * pHeader = ha->pHeader;
 
     // If the HET table position is not 0, we expect the table to be present
-    if(pHeader->HetTablePos64 && pHeader->HetTableSize64)
+    // Alsom the HET table must have a reasonable size
+    if(pHeader->HetTablePos64 && pHeader->HetTableSize64 && pHeader->HetTableSize64 < BET_TABLE_MAX_SIZE)
     {
         // Attempt to load the HET table (Hash Extended Table)
         pExtTable = LoadExtTable(ha, pHeader->HetTablePos64, (size_t)pHeader->HetTableSize64, HET_TABLE_SIGNATURE, MPQ_KEY_HASH_TABLE);
@@ -2530,7 +2531,7 @@ TMPQBetTable * LoadBetTable(TMPQArchive * ha)
     TMPQHeader * pHeader = ha->pHeader;
 
     // If the BET table position is not 0, we expect the table to be present
-    if(pHeader->BetTablePos64 && pHeader->BetTableSize64)
+    if(pHeader->BetTablePos64 && pHeader->BetTableSize64 && pHeader->BetTableSize64 < BET_TABLE_MAX_SIZE)
     {
         // Attempt to load the HET table (Hash Extended Table)
         pExtTable = LoadExtTable(ha, pHeader->BetTablePos64, (size_t)pHeader->BetTableSize64, BET_TABLE_SIGNATURE, MPQ_KEY_BLOCK_TABLE);
diff --git a/src/StormLib.h b/src/StormLib.h
@@ -292,6 +292,7 @@ extern "C" {
 // Signatures for HET and BET table
 #define HET_TABLE_SIGNATURE         0x1A544548  // 'HET\x1a'
 #define BET_TABLE_SIGNATURE         0x1A544542  // 'BET\x1a'
+#define BET_TABLE_MAX_SIZE          0x00100000  // Maximum acceptable size of HET&BET tables
 
 // Decryption keys for MPQ tables
 #define MPQ_KEY_HASH_TABLE          0xC3AF3770  // Obtained by HashString("(hash table)", MPQ_HASH_FILE_KEY)
diff --git a/test/StormTest.cpp b/test/StormTest.cpp
@@ -3960,8 +3960,8 @@ static void Test_PlayingSpace()
     LPBYTE pbData;
     DWORD dwFileSize = 529298;
     DWORD dwBytesRead = 0;
-
-    if(SFileOpenArchive(_T("c:\\War3.mpq"), 0, 0, &hMpq))
+/*
+    if(SFileOpenArchive(_T("e:\\2.mpq"), 0, 0, &hMpq))
     {
         if(SFileOpenFileEx(hMpq, "(listfile)", 0, &hFile))
         {
@@ -3974,6 +3974,7 @@ static void Test_PlayingSpace()
         }
         SFileCloseArchive(hMpq);
     }
+*/
 }
 
 //-----------------------------------------------------------------------------
@@ -4237,7 +4238,7 @@ static const TEST_INFO1 TestList_MasterMirror[] =
 static const TEST_INFO1 Test_OpenMpqs[] =
 {
 
-    // PoC's by Gabe Sherman, tinh0.
+    // PoC's by Gabe Sherman, tinh0, Zao Yang
     {_T("pocs/MPQ_2024_01_HeapOverrun.mpq"),                    NULL, "7008f95dcbc4e5d840830c176dec6969",    14},
     {_T("pocs/MPQ_2024_02_StackOverflow.mpq"),                  NULL, "7093fcbcc9674b3e152e74e8e8a937bb",     4},
     {_T("pocs/MPQ_2024_03_TooBigAlloc.mpq"),                    NULL, "--------------------------------",     TFLG_WILL_FAIL},
@@ -4255,6 +4256,8 @@ static const TEST_INFO1 Test_OpenMpqs[] =
     {_T("pocs/MPQ_2025_03_InvalidPatchInfo.mpq"),               NULL, "93b885adfe0da089cdf634904fd59f71",     TFLG_WILL_FAIL},
     {_T("pocs/MPQ_2025_04_InvalidArchiveSize64.mpq"),           NULL, "--------------------------------",     TFLG_WILL_FAIL},
     {_T("pocs/MPQ_2025_05_AddFileError.mpq"),                   NULL, "ce9b8afed4221a53663d391f10691ba6",     TFLG_WILL_FAIL},
+    {_T("pocs/MPQ_2025_06_BadHashTableSize.mpq"),               NULL, "00000000000000000000000000000000",     TFLG_WILL_FAIL},
+    {_T("pocs/MPQ_2025_07_BadHetTableSize.mpq"),                NULL, "00000000000000000000000000000000",     TFLG_WILL_FAIL},
 
     // Correct or damaged archives
     {_T("MPQ_1997_v1_Diablo1_DIABDAT.MPQ"),                     NULL, "554b538541e42170ed41cb236483489e",  2910, &TwoFilesD1},  // Base MPQ from Diablo 1
diff --git a/test/stormlib-test-001.txt b/test/stormlib-test-001.txt
@@ -36,6 +36,8 @@ TestReadingMpq (pocs/MPQ_2025_02_SectorOffsetSizeNotAligned.mpq) succeeded.
 TestReadingMpq (pocs/MPQ_2025_03_InvalidPatchInfo.mpq) succeeded.
 TestReadingMpq (pocs/MPQ_2025_04_InvalidArchiveSize64.mpq) succeeded.
 TestReadingMpq (pocs/MPQ_2025_05_AddFileError.mpq) succeeded.
+TestReadingMpq (pocs/MPQ_2025_06_BadHashTableSize.mpq) succeeded.
+TestReadingMpq (pocs/MPQ_2025_07_BadHetTableSize.mpq) succeeded.
 TestReadingMpq (MPQ_1997_v1_Diablo1_DIABDAT.MPQ) succeeded.
 TestReadingMpq (MPQ_1997_v1_patch_rt_SC1B.mpq) succeeded.
 TestReadingMpq (MPQ_1997_v1_StarDat_SC1B.mpq) succeeded.

Original file line number	Diff line number	Diff line change
`@@ -1019,6 +1019,11 @@ void * LoadMpqTable(`
`1019`	`1019`	`return NULL;`
`1020`	`1020`	`}`
`1021`	`1021`	`}`
	`1022`	`+ else`
	`1023`	`+ {`
	`1024`	`+ // pocs/MPQ_2025_06_BadHashTableSize.mpq`
	`1025`	`+ dwCompressedSize = dwTableSize;`
	`1026`	`+ }`
`1022`	`1027`
`1023`	`1028`	`// Get the file offset from which we will read the table`
`1024`	`1029`	`// Note: According to Storm.dll from Warcraft III (version 2002),`
Original file line number	Diff line number	Diff line change
`@@ -3960,8 +3960,8 @@ static void Test_PlayingSpace()`
`3960`	`3960`	`LPBYTE pbData;`
`3961`	`3961`	`DWORD dwFileSize = 529298;`
`3962`	`3962`	`DWORD dwBytesRead = 0;`
`3963`		`-`
`3964`		`- if(SFileOpenArchive(_T("c:\\War3.mpq"), 0, 0, &hMpq))`
	`3963`	`+/*`
	`3964`	`+ if(SFileOpenArchive(_T("e:\\2.mpq"), 0, 0, &hMpq))`
`3965`	`3965`	`{`
`3966`	`3966`	`if(SFileOpenFileEx(hMpq, "(listfile)", 0, &hFile))`
`3967`	`3967`	`{`
`@@ -3974,6 +3974,7 @@ static void Test_PlayingSpace()`
`3974`	`3974`	`}`
`3975`	`3975`	`SFileCloseArchive(hMpq);`
`3976`	`3976`	`}`
	`3977`	`+*/`
`3977`	`3978`	`}`
`3978`	`3979`
`3979`	`3980`	`//-----------------------------------------------------------------------------`
`@@ -4237,7 +4238,7 @@ static const TEST_INFO1 TestList_MasterMirror[] =`
`4237`	`4238`	`static const TEST_INFO1 Test_OpenMpqs[] =`
`4238`	`4239`	`{`
`4239`	`4240`
`4240`		`- // PoC's by Gabe Sherman, tinh0.`
	`4241`	`+ // PoC's by Gabe Sherman, tinh0, Zao Yang`
`4241`	`4242`	`{_T("pocs/MPQ_2024_01_HeapOverrun.mpq"), NULL, "7008f95dcbc4e5d840830c176dec6969", 14},`
`4242`	`4243`	`{_T("pocs/MPQ_2024_02_StackOverflow.mpq"), NULL, "7093fcbcc9674b3e152e74e8e8a937bb", 4},`
`4243`	`4244`	`{_T("pocs/MPQ_2024_03_TooBigAlloc.mpq"), NULL, "--------------------------------", TFLG_WILL_FAIL},`
`@@ -4255,6 +4256,8 @@ static const TEST_INFO1 Test_OpenMpqs[] =`
`4255`	`4256`	`{_T("pocs/MPQ_2025_03_InvalidPatchInfo.mpq"), NULL, "93b885adfe0da089cdf634904fd59f71", TFLG_WILL_FAIL},`
`4256`	`4257`	`{_T("pocs/MPQ_2025_04_InvalidArchiveSize64.mpq"), NULL, "--------------------------------", TFLG_WILL_FAIL},`
`4257`	`4258`	`{_T("pocs/MPQ_2025_05_AddFileError.mpq"), NULL, "ce9b8afed4221a53663d391f10691ba6", TFLG_WILL_FAIL},`
	`4259`	`+ {_T("pocs/MPQ_2025_06_BadHashTableSize.mpq"), NULL, "00000000000000000000000000000000", TFLG_WILL_FAIL},`
	`4260`	`+ {_T("pocs/MPQ_2025_07_BadHetTableSize.mpq"), NULL, "00000000000000000000000000000000", TFLG_WILL_FAIL},`
`4258`	`4261`
`4259`	`4262`	`// Correct or damaged archives`
`4260`	`4263`	`{_T("MPQ_1997_v1_Diablo1_DIABDAT.MPQ"), NULL, "554b538541e42170ed41cb236483489e", 2910, &TwoFilesD1}, // Base MPQ from Diablo 1`